Morning Risk Report: The SFO’s Very Bad Day

Whoops. The Serious Fraud Office said Thursday it had accidentally sent information from a past bribery investigation into BAE Systems plc to the wrong party. While embarrassing, the accidental data loss could have been worse. BAE is the country’s largest defense contractor, but according to the SFO, the data did not relate to national security. Phew. Still, the episode highlights an axiom that many cybersecurity experts have been preaching for years — most data losses are the result of human error.

The SFO said the data constituted 3% of the total data in the case, which was settled in 2010, and consisted of 32,000 document pages, 81 audio tapes and electronic media. According to the SFO, 98% of the material has been recovered and efforts continue to recover all the remaining material that has not already been destroyed by the recipient. An SFO spokeswoman declined to elaborate on what was contained in the data, and a BAE spokesman did not immediately respond to a request for comment.

The silver lining here for the SFO is that it not only appears to have averted disaster, but may also have been alerted to a sieve in its internal controls. According to the agency, SFO Director David Green had Peter Mason, the former director of security at Westminster Palace, review the incident, and has begun implementing Mason’s recommendations, including “re-drafting of the responsibilities of the SFO’s Senior Information Risk Owner” and “raising the profile of data handling as a key risk in the SFO’s business.” The SFO would also do well to heed a recent study by the Ponemon Institute that found two-thirds of all data breaches in 2012 were caused by human error.

EXCLUSIVE ON RISK & COMPLIANCE JOURNAL:

Cybercrime ring leader sentenced. A leader in a cybercrime ring that stretched from Brooklyn to Ukraine was sentenced Thursday, and 12 more people pleaded guilty for their roles in the gang that swiped 95,000 credit cards and stole more than $5 million. The eight-year investigation resulted in a total of 15 people being convicted of trafficking in the stolen credit card numbers, Manhattan District Attorney Cyrus Vance said Thursday. Douglas Latta, 40 years old, was convicted in June by a jury on charges of grand larceny, criminal possession of stolen property, scheme to defraud and conspiracy. He was sentenced to 22 to 44 years behind bars. Two others–Egor Shevelev and Anna Ciano–were convicted on similar charges last month. Shevelev was sentenced to 13.5 to 40 years, while Ciano was sentenced to 19 to 47 years.

Top cyber experts talk public-private cooperation. The financial-services industry is doing an exemplary job of sharing cyber-threat data among companies, a panel of top government officials and cybersecurity experts said this week. The Financial Services Information Sharing and Analysis Center stands out in a world where cooperation on cyber threats between companies—as well as among the public and private sectors—can be complicated, said a high-wattage panel at the International Conference on Cyber Security in New York on Tuesday.

COMPLIANCE

SAC business plan goes to judge. The WSJ reports SAC Capital Advisors LP and prosecutors asked a federal judge to approve an agreement that would allow the hedge-fund giant to maintain business operations but restrict its ability to move assets elsewhere while facing criminal insider-trading charges, according to filings related to the case. The terms proposed by SAC and the Manhattan U.S. Attorney’s Office would require the firm to maintain at least 85% of the “aggregate value” of assets owned by the firm’s “entity defendants” as of July 1, in exchange for its continuing ability to engage in lawful operations, according to the filings. If the assets fell below the specified level in a given month, it would be required to “replenish” them within five days after the end of that month, according to the filings.

Businesses push for more low-skill visas. The WSJ reports as Congress considers an immigration overhaul, an eclectic group of businesses is stepping up in support, eager to take advantage of new categories of low-skilled immigrant laborers the legislation would allow. Proposals in both the House and Senate would allow hundreds of thousands of foreign workers to take on a broader set of U.S. jobs, opening a path for more immigrants to work on dairy farms, in meatpacking plants and on golf courses.

‘London Whale’ unlikely to face charges. The WSJ reports Bruno Iksil, the former trader known as the “London whale,” is unlikely to face charges related to bets that backfired into losses of more than $6 billion for J.P. Morgan Chase & Co., according to people close to the matter. The French citizen, who worked in the London outpost of J.P. Morgan’s Chief Investment Office, made many of the giant wagers in corporate credit investments that piled up losses starting in early 2012, led to the exit of a top J.P. Morgan executive and tarnished the company’s reputation as one of Wall Street’s savviest risk managers. For roughly a year, the Justice Department has been trying to determine if traders responsible for the bets knowingly misvalued the positions to hide or understate the severity of the potential losses, according to people familiar with the investigation. The Securities and Exchange Commission also is examining the trading fiasco.

German regulators said to review off-balance-sheet loans. German regulators will review how the country’s banks made loans that didn’t appear on their balance sheets, obscuring the risk to investors, said two people briefed on the talks. Bloomberg reports the inquiry, led by the Bundesbank and Bafin, will focus on whether banks properly applied accounting rules when making the loans, said one of the people, who asked not to be identified because the investigation hasn’t been made public.

Chinese regulators visit Novo Nordisk plant. The WSJ reports Chinese regulators visited a Novo Nordisk production facility in northern China last week and asked for information on the Danish drug maker’s operations, as regulators are increasing scrutiny of foreign pharmaceutical companies in the market. Chinese regulators visited a Novo Nordisk plant in the northern city of Tianjin on Aug. 1 and requested information, a spokesman said on Friday. The reason for the visit was unclear, he said. “The AIC hasn’t accused Novo Nordisk of any wrongdoing,” the spokesman said, referring to China’s Administration for Industry and Commerce.

Goldman is sued over aluminum warehousing. The WSJ reports that a steel-railings manufacturer and a scrap-metal dealer have joined to sue Goldman Sachs Group Inc., adding to the Wall Street firm’s legal headaches stemming from allegations it manipulated the aluminum market. Viva Railings LLC and Regal Recycling Inc. accused Goldman and two subsidiaries of hoarding aluminum in warehouses to boost the metal’s price artificially, the companies wrote Thursday in their lawsuit in U.S. District Court in Manhattan. The suit is the latest action filed by aluminum buyers as metal warehousing firms’ practices have drawn fire from regulators and politicians.

GOVERNANCE

Carlos Slim makes KPN move. The WSJ reports Mexican telecommunications firm America Movil SAB Friday increased its efforts to build up a long-term presence in Europe, announcing an offer for Royal KPN NV that values the Dutch company at about €10.25 billion ($13.72 billion). America Movil, controlled by Mexican billionaire Carlos Slim, said it aims to acquire a majority stake in KPN, after buying a 29.77% stake in the embattled firm last year. It also bought a minority stake in Telekom Austria AG, having exhausted its possibilities for acquisitions in Latin America where it is the largest mobile phone operator.

Investor William Ackman targets J.C. Penney’s CEO. The WSJ reports J.C. Penney Co.’s largest shareholder is pressing the board to quickly replace its chief executive, as the battered department-store chain struggles to turn around a deep slide in sales. The move to unseat interim CEO Myron “Mike” Ullman sets up a standoff between hedge fund manager William Ackman, who owns nearly 18% of the company’s stock, and a board that was badly burned the last time it went along with his wishes.

DATA SECURITY

Cutting CIOs out of cyber-risk decisions is ‘bad idea’. The WSJ reports more companies are thinking about buying cyber insurance, but they’re not consulting the CIO in most cases. Policies can insure against direct loss, legal liability, the cost of downtime and exposure to third parties if, say, credit card numbers are stolen. Risk managers are most responsible for evaluating and selecting insurance providers, followed by compliance officers, chief information security officers and business leaders, according to a report Thursday by the Ponemon Institute, a privacy and security think tank. Only 8% of CIOs are responsible for evaluating and selecting the insurance provider as opposed to 40% of risk managers, according to the report, sponsored by Experian Information Solutions Inc. In many cases, risk managers are not even consulting IT staff.

Encrypted email service thought used by Snowden shuts down. An encrypted email service believed to have been used by fugitive Edward Snowden shut down abruptly on Thursday amid a legal fight that appeared to involve U.S. government attempts to win access to customer information, Reuters reports. “I have been forced to make a difficult decision: to become complicit in crimes against the American people, or walk away from nearly 10 years of hard work by shutting down Lavabit,” Lavabit LLC owner Ladar Levison wrote in a letter that was posted on the company’s website. Also on Thursday, an executive with a better-known provider of secure email said his company had shut down that service. Jon Callas, co-founder of Silent Circle Inc., said on Twitter and in a blog post that Silent Circle had ended Silent Mail.

NSA to cut system administrators to limit data access. The National Security Agency said Thursday it intends to eliminate about 90% of its system administrators to reduce the number of people with access to secret information, Reuters reports. Keith Alexander, the director of the NSA, told a cybersecurity conference in New York City that automating much of the work now done by employees and contractors would improve security, making the NSA’s networks “more defensible and more secure,” as well as faster.

Tech execs talk surveillance with Obama. President Barack Obama hosted Apple Inc. CEO Tim Cook, AT&T Inc. CEO Randall Stephenson, Google Inc. computer scientist Vint Cerf and other tech executives and civil liberties leaders on Thursday for a closed-door meeting about government surveillance, Politico reports. The session, which Mr. Obama attended himself, followed a similar gathering earlier this week between top administration officials, tech-industry lobbyists and leading privacy hawks, the sources said. Those earlier, off-the-record discussions centered on the controversy surrounding the NSA as well as commercial privacy issues such as online tracking of consumers.

Taming the spies of online advertising. We’re about to see what happens when industry self-regulation fails, the WSJ writes. The FTC and consumer groups have long wanted a do-not-track protocol that can guard privacy. The idea is to give Internet users a one-click option to prevent marketing firms and websites from placing “cookies” on their computers. But the effort to find a solution through industry self-regulation suffered a nervous breakdown this summer. Browsers such as Apple’s Safari already have cookie-blocking capability. And it’s likely to get refined as consumers and regulators look for better solutions.

Under the ASU, inventory is “measured at the lower of cost and net realizable value,” which eliminates the need to determine replacement cost and evaluate whether it is above the ceiling net realizable value or below the floor. The FASB did not amend other guidance on measuring inventory, such as the LIFO, FIFO and average cost method. In addition to reducing complexity, the proposal would make U.S. GAAP more comparable to IFRS.

About Risk & Compliance

Risk & Compliance provides news and commentary to corporate executives and others who need to understand, monitor and control the many risks that can tarnish brands, distract management and harm investors. Its content spans governance, risk and compliance and includes analysis of the significance of laws and regulations, the risks inherent in global expansion and the protective moves taken by companies.